GitHub user dosubot[bot] added a comment to the discussion: Restrict charts

You can create a custom chart filter in Superset to show only charts owned by 
the current user and by users whose emails or usernames you provide. Here’s how 
you can approach it:

1. **Backend filter logic**: In `superset/charts/filters.py`, create a filter that:
   - Checks if the current user is admin (using `security_manager.is_admin()`); if so, returns all charts.
   - Otherwise, builds a list of user IDs: the current user plus those resolved from your provided emails/usernames (using `security_manager.get_user_by_username(username)` and querying `security_manager.user_model.email`).
   - Filters charts where any owner matches one of those user IDs.

Example:

```python
from superset import security_manager
from superset.models.slice import Slice
from superset.utils.core import get_user_id
from superset.views.base import BaseFilter


class ChartOwnedByMeOrUsersFilter(BaseFilter):
    name = "Owned by me or specific users"
    arg_name = "chart_owned_by_me_or_users"

    def apply(self, query, value):
        if security_manager.is_admin():
            return query  # Admins see all charts

        user_ids = [get_user_id()]
        # value should be a list of usernames/emails
        for identifier in value or []:
            user = security_manager.get_user_by_username(identifier)
            if not user:
                # Try email lookup if username fails
                user = (
                    security_manager.get_session.query(security_manager.user_model)
                    .filter(security_manager.user_model.email == identifier)
                    .one_or_none()
                )
            if user:
                user_ids.append(user.id)
        # Remove duplicates
        user_ids = list(set(user_ids))
        # Keep charts that have at least one owner in the resolved ID list
        return query.filter(
            Slice.owners.any(security_manager.user_model.id.in_(user_ids))
        )
```

You can pass the list of usernames/emails as a query parameter to the API (e.g., `?chart_owned_by_me_or_users=["alice","bob@example.com"]`). Handle missing users gracefully—ignore them or log a warning.

2. **Register the filter**: In `superset/charts/api.py`, add your filter to 
`base_filters` or `search_filters` in `ChartRestApi` so it’s applied globally 
or as a selectable filter.

3. **Frontend**: If you want users to select which users to include, expose the 
filter in the chart list UI. Otherwise, enforce it in the backend so only the 
allowed charts are returned.

This pattern follows how Superset filters by ownership and user relationships in existing chart filters ([reference](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/charts/filters.py)), and uses security manager helpers for user lookup ([reference](https://github.com/apache/superset/blob/829e4d92d91ceae4b43b1ed3b063ffe45377799c/superset/security/manager.py)). There’s no built-in config for this, so backend customization is required.

Let me know if you want more details on error handling, performance, or 
frontend integration!



GitHub link: 
https://github.com/apache/superset/discussions/36259#discussioncomment-15073553
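
A stand-alone model of the filter logic in the comment above, added here as an illustration (not code from the comment or from Superset). It uses Python's `sqlite3` with a constructed three-table schema and the hypothetical helpers `resolve_user_ids` and `visible_charts`, and shows that the `EXISTS` form, which is what `Slice.owners.any(...)` expresses, returns a co-owned chart once and that unknown identifiers are skipped.

```python
import sqlite3

# Constructed schema and rows: a minimal stand-in for users, charts and the
# chart-owner association table (not Superset's real schema).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
CREATE TABLE charts (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE chart_owners (chart_id INTEGER, user_id INTEGER);
INSERT INTO users VALUES (1,'alice','alice@example.com'),
                         (2,'bob','bob@example.com'),
                         (3,'carol','carol@example.com');
INSERT INTO charts VALUES (10,'sales'),(11,'churn'),(12,'payroll'),(13,'shared');
INSERT INTO chart_owners VALUES (10,1),(11,2),(12,3),(13,1),(13,2);
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def resolve_user_ids(db, current_user_id, identifiers):
    """Current user plus every identifier that matches a username, else an email."""
    ids = {current_user_id}
    for ident in identifiers or []:
        row = db.execute("SELECT id FROM users WHERE username = ?", (ident,)).fetchone()
        if row is None:
            row = db.execute("SELECT id FROM users WHERE email = ?", (ident,)).fetchone()
        if row is not None:  # unknown identifiers are skipped, not errors
            ids.add(row[0])
    return sorted(ids)

def visible_charts(db, current_user_id, is_admin, identifiers):
    """Names of charts the filter would return for this caller."""
    if is_admin:
        rows = db.execute("SELECT name FROM charts ORDER BY id")
        return [r[0] for r in rows]
    ids = resolve_user_ids(db, current_user_id, identifiers)
    marks = ",".join("?" * len(ids))  # bound parameters, never string-built values
    sql = (
        "SELECT name FROM charts c WHERE EXISTS ("
        "SELECT 1 FROM chart_owners o WHERE o.chart_id = c.id "
        f"AND o.user_id IN ({marks})) ORDER BY c.id"
    )
    return [r[0] for r in db.execute(sql, ids)]
```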
